MuddyWater's Dindoor Backdoor: Iranian Hackers Embed in US Banks and Airports
Symantec and Carbon Black uncovered MuddyWater (Iran MOIS) targeting US banks, airports, non-profits, and defense contractors with the new Dindoor backdoor using Deno runtime. Campaign escalated following US-Israeli strikes on Iran. Wiper threats and camera exploitation also documented.
If you work in cybersecurity and thought nation-state threats were someone else's problem, MuddyWater just crashed that party. New research from Broadcom's Symantec and Carbon Black Threat Hunter Team has uncovered evidence of the Iranian hacking group embedding itself in multiple U.S. organizations, and the target list reads like critical infrastructure bingo. We're talking banks, airports, non-profits, and a software company that supplies the defense and aerospace industries.
The activity is attributed to the state-sponsored group known as MuddyWater (also tracked as Seedworm), which is affiliated with Iran's Ministry of Intelligence and Security. This isn't some rogue operation from a basement in Tehran. This is government-backed cyber espionage, and it's happening in American networks right now.
The campaign appears to have kicked off in early February 2026, with activity ramping up noticeably following U.S. and Israeli military strikes on Iran. If you've been following geopolitical news, you know tensions in the region have been escalating significantly. What you might not realize is how directly that translates to cyber operations targeting Western infrastructure.
MuddyWater has a documented history of cyber espionage, but this campaign introduces some new tools to their arsenal. The researchers identified a previously unknown backdoor they've dubbed "Dindoor," which leverages the Deno JavaScript runtime for execution. Deno is a legitimate, modern runtime environment that's increasingly popular with developers, which makes it an attractive choice for attackers looking to blend in with normal traffic and evade detection.
The software company targeted in this campaign is particularly concerning. According to Symantec, the company supplies the defense and aerospace industries and has operations in Israel. The Israel operation appears to have been the primary target, but the implications extend far beyond a single subsidiary. Defense contractors are high-value targets because compromising them can provide access to sensitive information about military capabilities, supply chains, and strategic planning.
Alongside the Dindoor backdoor, researchers also discovered evidence of data exfiltration attempts. The attackers used Rclone, a popular command-line program for managing cloud storage, to transfer data to a Wasabi cloud storage bucket. Whether they successfully extracted sensitive information remains unclear, but the intent was obvious.
A U.S. airport and a non-profit organization, also among the victims, weren't infected with Dindoor, but they did receive a different piece of malware. A Python backdoor called "Fakeset" was downloaded from servers belonging to Backblaze, an American cloud storage and data backup provider. Here's where the attribution gets interesting: the digital certificate used to sign Fakeset has also been used to sign Stagecomp and Darkcomp malware, both of which have previously been linked to MuddyWater operations.
Using the same code-signing certificates across different operations is a classic operational security mistake, and it's exactly the kind of forensic breadcrumb that allows researchers to connect seemingly disparate incidents to a single actor.
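The tooling described above gives defenders three concrete things to hunt for: Rclone talking to a cloud storage provider, the Deno runtime running on hosts where no developer uses it, and a Python interpreter fetching from a consumer storage service. The script below is an added illustration, not code from the report or from Symantec; the hostnames, events and the developer-host allowlist are constructed for the example, and the two provider domains are assumed to be the public endpoint domains of Wasabi and Backblaze B2.

```python
import ntpath

# Assumed public endpoint domains of the two storage providers named in the report.
CLOUD_STORAGE_DOMAINS = ("wasabisys.com", "backblazeb2.com")
# Hosts where Deno is legitimately expected (assumption for this example).
DEV_HOSTS = {"build-01"}


def exe_name(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def in_domains(dest: str, domains: tuple) -> bool:
    """True if dest is one of the domains or a subdomain of one (no substring matches)."""
    return any(dest == d or dest.endswith("." + d) for d in domains)


# Each rule is a predicate over one normalized process+network event.
RULES = {
    "rclone_to_cloud_storage": lambda ev: exe_name(ev["image"]).startswith("rclone")
        and in_domains(ev["dest"], CLOUD_STORAGE_DOMAINS),
    "deno_outside_dev_hosts": lambda ev: exe_name(ev["image"]).startswith("deno")
        and ev["host"] not in DEV_HOSTS and ev["dest"] != "",
    "python_fetch_from_cloud_storage": lambda ev: exe_name(ev["image"]).startswith("python")
        and in_domains(ev["dest"], CLOUD_STORAGE_DOMAINS),
}


def evaluate(events: list) -> list:
    """Return (rule_name, host) pairs for every event that trips a rule."""
    return [(name, ev["host"]) for ev in events for name, pred in RULES.items() if pred(ev)]


# Constructed sample events; these are not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": r"C:\Users\jdoe\AppData\Roaming\tool\rclone.exe", "dest": "s3.us-east-1.wasabisys.com"},
    {"host": "build-01", "image": r"C:\tools\deno\deno.exe", "dest": "deno.land"},
    {"host": "ws-22", "image": r"C:\Users\asmith\AppData\Local\Temp\deno.exe", "dest": "placeholder-c2.invalid"},
    {"host": "kiosk-03", "image": r"C:\Python311\python.exe", "dest": "f001.backblazeb2.com"},
    {"host": "ws-05", "image": r"C:\Windows\System32\svchost.exe", "dest": "update.microsoft.com"},
]

if __name__ == "__main__":
    for rule, host in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

In a real deployment the events would come from EDR or Sysmon process-creation and network-connection telemetry joined on process id, and the allowlist would be tuned per environment.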
It would be a mistake to dismiss MuddyWater as a second-tier threat. Iranian threat actors have become increasingly proficient in recent years, and their tooling and techniques have evolved substantially. They've demonstrated strong social engineering capabilities, including sophisticated spear-phishing campaigns and "honeytrap" operations where operatives build relationships with targets over time to gain access to accounts or sensitive information.
This isn't the spray-and-pray approach of commodity ransomware gangs. This is patient, targeted, and strategically motivated espionage.
The broader context makes this even more concerning. According to Check Point research, the pro-Palestinian hacktivist group known as Handala Hack (also tracked as Void Manticore) has been routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials. Multiple Iran-nexus adversaries, including groups like Agrius (Pink Sandstorm), have been scanning for vulnerable Hikvision cameras and video intercom solutions using known security flaws.
The targeting has intensified significantly in Israel and Gulf countries including the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. The activity specifically targets cameras from Dahua and Hikvision, exploiting vulnerabilities like CVE-2017-7921, CVE-2023-6895, CVE-2021-36260, CVE-2025-34067, and CVE-2021-33044. Check Point's assessment suggests Iran leverages camera compromise for operational support and ongoing battle damage assessment for missile operations, potentially in some cases prior to missile launches. Tracking camera-targeting activity from specific attributed infrastructures may serve as an early indicator of potential follow-on kinetic activity.
Beyond espionage, active wiper campaigns are reportedly underway against Israeli energy, financial, government, and utility sectors. Iran's wiper arsenal comprises over 15 malware families, including ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, PartialWasher, and others. These tools aren't designed to steal data or hold systems for ransom. They're designed to destroy, and they represent a clear escalation in cyber warfare doctrine.
LevelBlue's research indicates that Iranian state-sponsored APT groups like MuddyWater, Charming Kitten, OilRig, Elfin, and Fox Kitten have demonstrated clear signs of activation and rapid retooling, positioning themselves for retaliatory operations amid the escalating conflict. Cyber represents one of Iran's most accessible asymmetric tools for retaliation against Gulf states that condemned its attacks and support U.S. operations.
Between February 28 and March 2, 2026, the pro-Russia hacktivist group Z-Pentest claimed responsibility for compromising several U.S.-based entities, including ICS and SCADA systems and multiple CCTV networks. The timing of these claims, coinciding with Operation Epic Fury, suggests Z-Pentest likely began prioritizing U.S. entities as targets.
If you're reading this and thinking your organization isn't important enough to attract nation-state attention, think again. The airport, bank, non-profit, and software company targeted in this campaign probably thought the same thing. Attackers don't always go after the obvious high-profile targets. Sometimes they go after the weak link in a supply chain, the overlooked vendor with access to sensitive systems, or the regional organization that happens to provide services to a more strategic target.
The Canadian Centre for Cyber Security has issued an advisory cautioning that Iran will likely use its cyber apparatus to stage retaliatory attacks against critical infrastructure and conduct information operations to further the regime's interests. Western organizations should remain on high alert for potential cyber responses as the conflict continues, and activity may move beyond hacktivism into genuinely destructive operations.
Practical defensive measures include strengthening monitoring capabilities and limiting exposure to the internet wherever possible. Organizations should disable remote access to operational technology systems unless absolutely necessary, and even then implement strict controls. Enforcing phishing-resistant multi-factor authentication is essential, as Iranian operators have shown a preference for credential theft, password spraying, and social engineering as their primary initial access techniques. Network segmentation can limit the blast radius if attackers do gain a foothold, and offline backups remain critical insurance against wiper attacks. All internet-facing applications, VPN gateways, and edge devices should be updated and patched promptly.
Iran's offensive cyber capability has matured into a durable instrument of state power used to support intelligence collection, regional influence, and strategic signaling during periods of geopolitical tension. A defining feature of Iran's current cyber doctrine is its emphasis on identity and cloud control planes as the primary attack surface. Rather than prioritizing zero-day exploitation or highly novel malware at scale, Iranian operators tend to focus on repeatable access techniques followed by persistence through widely deployed enterprise services.
The conflict between Iran and Western nations is playing out in cyberspace as much as anywhere else, and MuddyWater's Dindoor campaign is just the latest evidence that U.S. organizations of all types are in the crosshairs. Patch your systems, train your users, and watch your logs. The threat is very real, and it's not going away anytime soon.